From patchwork Sat Mar 15 01:57:13 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Konstantin Andreev
X-Patchwork-Id: 14017668
From: Konstantin Andreev
To: Casey Schaufler
Cc: linux-security-module@vger.kernel.org
Subject: [PATCH v2 1/2] smack: fix bug: unprivileged task can create labels
Date: Sat, 15 Mar 2025 04:57:13 +0300
Message-ID: <20250315015723.1357541-2-andreev@swemel.ru>
In-Reply-To: <20250315015723.1357541-1-andreev@swemel.ru>
References: <20250315015723.1357541-1-andreev@swemel.ru>
Precedence: bulk
X-Mailing-List: linux-security-module@vger.kernel.org

If an unprivileged task is allowed to relabel itself
(/smack/relabel-self is not empty),
it can freely create new labels by writing their
names into its own /proc/PID/attr/smack/current.

This occurs because do_setattr() imports
the provided label in advance,
before checking the "relabel-self" list.

This change ensures that the "relabel-self" list
is checked before importing the label.

Fixes: 38416e53936e ("Smack: limited capability for changing process label")
Signed-off-by: Konstantin Andreev
---
v2: removed space between smack_known_web and .smk_known

 security/smack/smack_lsm.c | 41 +++++++++++++++++++++++++-------------
 1 file changed, 27 insertions(+), 14 deletions(-)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 99833168604e..80d68d2c228c 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c
@@ -3732,8 +3732,8 @@ static int do_setattr(u64 attr, void *value, size_t size) struct task_smack *tsp = smack_cred(current_cred()); struct cred *new; struct smack_known *skp; - struct smack_known_list_elem *sklep; - int rc; + char *labelstr; + int rc = 0; if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) return -EPERM; @@ -3744,28 +3744,41 @@ static int do_setattr(u64 attr, void *value, size_t size) if (attr != LSM_ATTR_CURRENT) return -EOPNOTSUPP; - skp = smk_import_entry(value, size); - if (IS_ERR(skp)) - return PTR_ERR(skp); + labelstr = smk_parse_smack(value, size); + if (IS_ERR(labelstr)) + return PTR_ERR(labelstr); /* * No process is ever allowed the web ("@") label * and the star ("*") label. */ - if (skp == &smack_known_web || skp == &smack_known_star) - return -EINVAL; + if (labelstr[1] == '\0' /* '@', '*' */) { + const char c = labelstr[0]; + + if (c == *smack_known_web.smk_known || + c == *smack_known_star.smk_known) { + rc = -EPERM; + goto free_labelstr; + } + } if (!smack_privileged(CAP_MAC_ADMIN)) { - rc = -EPERM; + const struct smack_known_list_elem *sklep; list_for_each_entry(sklep, &tsp->smk_relabel, list) - if (sklep->smk_label == skp) { - rc = 0; - break; - } - if (rc) - return rc; + if (strcmp(sklep->smk_label->smk_known, labelstr) == 0) + goto free_labelstr; + rc = -EPERM; } +free_labelstr: + kfree(labelstr); + if (rc) + return -EPERM; + + skp = smk_import_entry(value, size); + if (IS_ERR(skp)) + return PTR_ERR(skp); + new = prepare_creds(); if (new == NULL) return -ENOMEM;
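
Review bot: In the first hunk, `int rc = 0;` at the declaration is what turns the later `goto free_labelstr` on a relabel-self match into the success path, but neither site says so. The removed code set `rc = -EPERM` before the loop and `rc = 0` on a match, which kept the result next to the decision. Please either assign rc explicitly beside the loop in the same way, or add a comment at the goto noting that rc is still 0 there, so that a later change which assigns rc earlier in do_setattr() cannot silently flip the outcome of the relabel check.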
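
Review bot: In the second hunk, the rejection of the web ("@") and star ("*") labels now yields -EPERM where the removed lines returned -EINVAL, and the commit message does not mention this user-visible errno change. If it is intended, state it in the changelog. If it is not, set `rc = -EINVAL` in that branch and make the exit after free_labelstr `return rc;` rather than the hard-coded `return -EPERM;`, which discards whatever rc holds. Two smaller points in the same hunk: the `labelstr[1] == '\0'` test assumes smk_parse_smack() never returns an empty string, which is worth a one-line comment since that guarantee is not visible here; and the value is now parsed twice (smk_parse_smack() and then smk_import_entry(value, size)), so a short comment saying the first parse exists only to vet the string before anything is imported would save the next reader from "simplifying" it back.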